This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new f82f2f54bc Improved: Better secure "openSourceFile" request-map
(OFBIZ-13316)
f82f2f54bc is described below
commit f82f2f54bc01ee657ebc2b1531e62644346f33e8
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Nov 19 17:57:25 2025 +0100
Improved: Better secure "openSourceFile" request-map (OFBIZ-13316)
See OFBIZ-12018
---
framework/common/webcommon/WEB-INF/common-controller.xml | 2 +-
framework/widget/config/widget.properties | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/framework/common/webcommon/WEB-INF/common-controller.xml
b/framework/common/webcommon/WEB-INF/common-controller.xml
index b6ef970a15..0f6741b14a 100644
--- a/framework/common/webcommon/WEB-INF/common-controller.xml
+++ b/framework/common/webcommon/WEB-INF/common-controller.xml
@@ -337,7 +337,7 @@ under the License.
</request-map>
<request-map uri="openSourceFile">
- <security https="false" auth="false"/>
+ <security https="true" auth="true"/>
<event type="java" path="org.apache.ofbiz.common.CommonEvents"
invoke="openSourceFile"/>
<response name="success" type="none" />
<response name="error" type="none" />
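Review bot: Setting `auth="true"` on the `openSourceFile` request-map only establishes that the caller is logged in; nothing visible here limits which authenticated users may invoke `CommonEvents.openSourceFile`. The handler body is not part of this diff, so it may already do this, but it should refuse to act unless the named-border setting is `SOURCE` rather than rely on controller configuration alone. The comment this commit adds to widget.properties refers to an ecommerce controller with the same request-map, yet the diffstat lists only two changed files, so that map should be checked for a remaining `auth="false"`. I would also document the intent above the map, e.g. `<!-- Development aid for widget named borders; keep auth="true" outside a local developer setup -->`. The request-map element closes outside the hunk.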
diff --git a/framework/widget/config/widget.properties
b/framework/widget/config/widget.properties
index 85b424cc6e..4f966f8246 100644
--- a/framework/widget/config/widget.properties
+++ b/framework/widget/config/widget.properties
@@ -24,10 +24,12 @@
# A setting of true will enable widget boundary comments. The true setting can
be
# overridden in an application's web.xml file or in the screen rendering
context.
# A setting of false will override all other settings and disable all widget
-# boundary comments.
+# boundary comments.
widget.verbose=true
-# Enable widget named border for development
+# Enable widget named border for development.
+# If you want to use this feature you need to set auth to "false" in the
request-maps "openSourceFile" of common-controller.xml and ecommerce controller.
+# Of course don't set auth to "false" in production !
# NONE - For production where no named border will be shown.
# LABEL - Show named border
# SOURCE - Show named border with link to open the source code
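Review bot: The added guidance tells developers to switch `auth` to "false" in tracked controller files, but the warning after it does not say what that exposes or that the edit must stay local, so it is easy to commit by accident. I would replace the last two added comment lines with wording that states the consequence, wrapped to the width the surrounding comments use: `# SOURCE needs auth="false" on the "openSourceFile" request-maps, which makes that request reachable without login.` followed by `# Do this only on a local developer instance, never commit it, and keep this setting at NONE in production.` The property these comments describe lies below the hunk, so its default value cannot be checked from here.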